Industry. Cyber Security. Information Sharing at the Technical Level. Guidelines

Transcription

1 NATO Communications and Information Agency (NCI Agency) - Industry Cyber Security Information Sharing at the Technical Level Guidelines Effective date: 28 March 2014 Revision No: Rev 1

2 Change History Revision Number Date Change Original October 2013 Rev 1 March 2014 Added Para 8 (9)

3 1. Introduction NATO Legal Framework: Definitions Purpose of the Programme Programme description Eligibility Procedures Information Sharing General provisions Termination... 6

4 1. Introduction NATO and industry working with NATO continue to face increasing risks that Information exchanged or stored on their networks and systems can be accessed, affected or infected through malicious cyber acts thereby causing damage to the Alliance and its Members. NATO and industry need to be able to prevent and counter such threats and to analyse and share data in order to understand the nature, extent and possible sources of such incidents and to react to threats. The NATO Communications and Information Agency (NCI Agency) is responsible for identifying and promoting the development of essential capabilities that meet NATO s and its Member Nations needs in ensuring cyber safety and security. NATO capabilities to identify, prevent, detect and respond to external threats to NATO CIS infrastructure are primarily performed by the NCI Agency NATO Computer Incident Response Capability Technical Centre (NCIRC TC). With these Guidelines, the NCI Agency implements a voluntary bilateral Cyber Information Sharing Programme which will allow industry working with NATO and NATO to share cyber security Information in order to mutually enhance situational awareness and the protection of their networks and systems. The Guidelines are applicable to Partners as defined herein and the NATO CI Agency, together referred to as Participants of the Information Sharing Programme ( Programme ). The objectives of these Guidelines are to establish: (1) the basis for participation in this Programme, (2) the confidentiality and security of the Information shared by the Partners, and (3) a set of guidelines for Partners on how to share Information. These Guidelines set out NCI Agency s Programme with respect to Information sharing on cyber security, focussing on the following areas: Purpose of the Programme; Eligibility; Procedures; Information sharing. 2. NATO Legal Framework: a) North Atlantic Treaty, signed on 4 April 1949; b) The Management of Non-Classified Information, C-M(2002)60 c) Council Decision on the Establishment of the NATO Communications and Information Organisation (C-M(2012)0049-AS1), dated 13 June NATO is operating within the framework of a number of agreements concluded between the Member States of the Alliance. These agreements are the legal bases for all actions to be 1

5 undertaken by the Organisation in order to fulfil its goal and purposes, based on activities as specified in the basic agreements/arrangements, and further developed through the decision making process in NATO and the implied powers of the Organisation in such respect. 3. Definitions (1) Cyber: relating to, or involving computers or computer networks, including software and data. (2) Cyber security: body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. (3) Information: any communications or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. (4) Information system: a discrete set of Information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Information. (5) NATO Information means Information provided by the NCI Agency under the voluntary Programme, including but not limited to cyber threat Information and Information assurance practices. (6) Participants: means Partners and NATO CI Agency when acting together under the Information Sharing Programme. (7) Partner: industry stakeholders and any other NATO entity willing to participate. (8) Partner Information: means Information provided by a Partner under the voluntary Programme, including but not limited to cyber threat Information and Information assurance practices. (9) Programme: set up to establish the voluntary bilateral Information sharing to allow Partners and NATO to share cyber security Information in order to enhance the protection of their networks and systems. (10) Threat: any circumstance or event which may potentially have an adverse impact on organisational operations, organisation assets, individuals, other organisations, or larger entities through unauthorised access, destruction, disclosure, modification of Information and/or denial of service. 4. Purpose of the Programme Information exchanged between the Partners and NCI Agency will help the Participants to better understand threat patterns and attack trends, thereby improving the application of preventive measures and reducing the scope for future attacks. The aim is to increase awareness of the extent and severity of cyber threats to NATO and Partners and ultimately to enhance and supplement capabilities to safeguard Information. The Programme aims at bilateral Information sharing on cyber threat Information and Information security best practices, cyber threat indicators and mitigation measures. The main benefit of participation in the Programme is access to threat assessment, prevention, and mitigation Information. Partners are encouraged to share reports of intrusion events and to 2

6 participate in damage assessments with the NCI Agency. Partners are further encouraged to report any cyber security incident that may be of interest to NATO. NCI Agency may share cyber threat Information and Information assurance best practices to Partners and may analyse the Information reported by the Partners regarding any cyber incident, to glean Information regarding cyber threats, vulnerabilities and the development of effective response measures. NCI Agency may also analyse reports to accumulate Information regarding cyber threats and vulnerabilities, and develop effective response measures which it may share with Partners. 5. Programme description The NCI Agency public portal will provide information on the principles of the Information Sharing Programme and the points of contact within the NCI Agency. Potential Partners can apply but acceptance will be at NCI Agency s discretion. NCI Agency may also invite potential Partners to apply. 6. Eligibility Potential Partners are eligible to apply for participation in the Programme if the following conditions are met: (1) Industry must be from a NATO member nation. (2) Requests for participation will be reviewed by the NCI Agency NCIRC TC on a case-by-case basis. Potential partners will need to show that they are in a position to contribute a balanced share of information. (3) Participation in the Programme is subject to the conclusion of the standardized bilateral Industry Partnership Agreement ( I-PA ) between a Partner and NCI Agency. The Industry Partnership Agreement provides the legal and security requirements for Programme participation and will include provisions on the confidentiality of the Information provided by the Participants. (4) Partners agree to comply with the requirements for managing non-classified Information in accordance with the document referenced at 2b) herein. (5) This agreement is not considered an alternative to, conflict with or amend existing arrangements (e.g. on security cooperation). 7. Procedures Information will only be shared subject to the following prerequisites: (1) Conclusion of the Industry Partnership Agreement including any agreed additional terms and conditions implementing the voluntary Information sharing activities between the NCI Agency and the Partner. 3

7 (2) The NCI Agency NCIRC Programme Manager for the Information Sharing Programme will be indicated on the NCI Agency portal. Points of contact authorised to exchange Information relevant to the Programme will be further identified in the Industry Partnership Agreement. (3) Partners will provide their primary POC for participation in the Programme and any other representatives authorised to communicate with the NCI Agency NCIRC TC under this Programme. Details will be indicated in the Industry Partnership Agreement. 8. Information Sharing The following principles apply to the sharing of Information under the Programme: (1) Confidentiality general rule The originator of the Information to be shared under the Programme decides on the level of confidentiality of such Information and on the appropriate method of disclosure using the traffic light protocols at Annex A. (2) Non-classified Information The Information exchange will be limited to non-classified Information. The source of the Information retains ownership. Depending on the sensitivity of the Information, the owner is permitted to limit the use of the Information and determine how it is communicated. Information will be disclosed either: (1) by delivery of items electronically (in encrypted format if required by the sensitive nature of the information); (2) by oral and/or visual presentation. Disclosure of Information may be indicated through the use of Traffic Light Protocol (TLP) on Information sharing as laid down in the Guidelines. The TLP is based on the concept of the originator labelling information with one of four colours to indicate what further dissemination, if any, can be undertaken by the recipient. (3) Classified Information If, under exceptional circumstances, there is the need to exchange classified Information, it will not be communicated under the Industry Partnership Agreement. Arrangements with NATO member Nations for the exchange of classified Information are in place and may be used if the industry Partner has the appropriate security clearance to handle such Information. Points of contact can be made available by the NCI Agency NCIRC TC as and when required. (4) Initial incident reporting Partners may choose to report cyber incidents to NCI Agency if they determine that the incident may be relevant to Information assurance activities of NCI Agency. NCI Agency may initiate an exchange with Partners by requesting Information or by sending a report. Participants are encouraged to provide timely, actionable Information. (5) NATO and Partner Information a. A foundational element of this bilateral Programme is the recognition that the Information shared between the Participants may include extremely sensitive non- 4

8 public Information, which must be protected against unauthorized uses and disclosures in order to preserve the integrity of the Programme. For example, cyber threat Information shared by NCI Agency must be protected against compromise by the cyber threat, which may already have a presence on the Partner s system; and thus the Partner must utilise security measures and limited sharing within the company, to ensure that the cyber threat Information retains its operational value-- for the benefit of all of the Programme Participants. b. Similarly, the Partners typically treat Information regarding potential cyber intrusion incidents on their networks as extremely sensitive proprietary, commercial, or operational Information and tightly control that Information within the company, let alone sharing outside the company. The Partners share this type of Information with the NCI Agency only on the condition that the NCI Agency safeguards that Information against any unauthorized use or release (both within and outside the NCI Agency), which could cause substantial competitive harm to the Partner that reported that Information. c. In addition, during any follow-on forensics or assessment activities, the NCI Agency and Partners may share additional types of sensitive Information, which may include Information regarding the types of Information that may have been compromised during the reported incident--potentially including the most sensitive types of nonclassified Information. d. NCI Agency and the Partners acknowledges that Information shared under this Programme may include extremely sensitive proprietary, commercial, or operational Information that is not customarily shared outside and that the unauthorised use or disclosure of such Information could cause substantial harm to the NATO or the Partner that reported that Information. NCI Agency and the Partners will take all reasonable steps to protect against such unauthorised use or release of Information received or derived from Information received. NCI Agency and the Partners will restrict their internal use and disclosure of Information to only internal staff and support contractors that are bound by appropriate confidentiality obligations and restrictions relating to the handling of sensitive Information and who have a need to know. (6) Generic Information Without disclosing Partner or NATO specific Information, Participants may also provide generic non-sensitive Information they develop concerning the nature, scope, prevention and mitigation of cyber-attacks to other Participants. (7) Industry Partnership Agreement In recognition of the protections to be given to the shared Information, NCI Agency and each Partner must enter into a standardized Industry Partnership Agreement (I-PA) which will describe the procedures, the Information sharing principles and the confidentiality measures to protect the exchanged Information. (8) Voluntary participation 5

9 Participation in the Programme is voluntary and does not obligate the Partners or NCI Agency to share Information, to utilize Information provided, or to implement any changes to their Information systems. (9) Non attribution The recipient shall not use or further disclose discloser s information in a manner which attributes it to the discloser, unless permitted by the discloser, either expressly or implicitly. 9. General provisions (1) Participants will conduct their activities under this Programme in accordance with applicable laws and regulations, including restrictions on the interception, monitoring, access, use, and disclosure of electronic communications or data. Participants bear responsibility for their own actions under this Programme. (2) A Partner s voluntary participation in this Programme will not create any competitive advantage or preferential treatment in NATO source selection activities. Participation does not in any way present an endorsement of the Partner, its Information systems or products and services. (3) Participants exercise due care in the collection, storage and the subsequent access of any resulting Information collated for the purposes of the Programme. (4) Information may be retained for digital forensics purposes. (5) Neither NCI Agency nor the Partners will issue media statements or make public announcements relating to their engagement in this Information sharing Programme. This includes the public use of the name (including abbreviations), emblem, logo, or official seal of any other party as a result of participating in the Programme. (6) This is a voluntary Programme and Participants are free to decide whether to implement changes to their Information systems or otherwise utilise best practices which they become aware of through this Programme. Any action is taken at the Participant s own risk and expense and other Participants will not be liable for damages caused by the implementation or the nonimplementation. (7) Nothing in this Programme is intended to abrogate NATO s or the Partner s rights or obligations regarding the handling, safeguarding, sharing, or reporting of Information (whether classified or not), or regarding any physical, personnel, or other security requirements, as required by law, regulation, policy, or a valid legal contractual obligation. 10. Termination Partners and the NCI Agency may unilaterally limit or discontinue participation in the Programme at any time. Shared Information cannot be reclaimed. However, termination shall not relieve the Partners or NCI Agency of obligations to protect against the unauthorised use or disclosure of Information exchanged under this Programme. 6

10 Annex A Traffic Light Protocol (TLP) Matrix The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colours to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s). 1 The originator of information to be handled according to TLP should label the information with the correct TLP color in order to indicate how widely that information may be disseminated, by including 'TLP: [Color]' in unambiguous text in the header and footer of the document and initialing the markings. Colour When should it be used? How may it be shared? RED Sources may use TLP: RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed. AMBER Sources may use TLP: AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information. GREEN Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. WHITE Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. TLP: WHITE information may be distributed without restriction, subject to copyright controls. 1 Based on the version presented under 7